diff --git a/Cargo.lock b/Cargo.lock index af4cab42..6d665743 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -51,12 +51,6 @@ version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693" -[[package]] -name = "bumpalo" -version = "3.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c59e7af012c713f529e7a3ee57ce9b31ddd858d4b512923602f74608b009631" - [[package]] name = "bytes" version = "1.0.1" @@ -137,15 +131,6 @@ version = "0.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ea221b5284a47e40033bf9b66f35f984ec0ea2931eb03505246cd27a963f981b" -[[package]] -name = "ct-logs" -version = "0.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c1a816186fa68d9e426e3cb4ae4dff1fcd8e4a2c34b781bf7a822574a0d0aac8" -dependencies = [ - "sct", -] - [[package]] name = "darling" version = "0.12.4" @@ -266,6 +251,21 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + [[package]] name = "form_urlencoded" version = "1.0.1" @@ -460,32 +460,28 @@ dependencies = [ ] [[package]] -name = "hyper-rustls" -version = "0.22.1" +name = "hyper-timeout" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f9f7a97316d44c0af9b0301e65010573a853a9fc97046d7331d7f6bc0fd5a64" +checksum = "bbb958482e8c7be4bc3cf272a766a2b0bf1a6755e7a6ae777f017a31d11b13b1" dependencies = [ - "ct-logs", - "futures-util", "hyper", - "log", - "rustls", - "rustls-native-certs", + "pin-project-lite", "tokio", - "tokio-rustls", - "webpki", + "tokio-io-timeout", ] [[package]] -name = "hyper-timeout" -version = "0.4.1" +name = "hyper-tls" +version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bbb958482e8c7be4bc3cf272a766a2b0bf1a6755e7a6ae777f017a31d11b13b1" +checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905" dependencies = [ + "bytes", "hyper", - "pin-project-lite", + "native-tls", "tokio", - "tokio-io-timeout", + "tokio-native-tls", ] [[package]] @@ -510,15 +506,6 @@ version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dd25036021b0de88a0aff6b850051563c6516d0bf53f8638938edbb9de732736" -[[package]] -name = "js-sys" -version = "0.3.53" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e4bf49d50e2961077d9c99f4b7997d770a1114f087c3c2e0069b36c13fc2979d" -dependencies = [ - "wasm-bindgen", -] - [[package]] name = "json-patch" version = "0.2.6" @@ -570,26 +557,25 @@ dependencies = [ "http", "http-body", "hyper", - "hyper-rustls", "hyper-timeout", + "hyper-tls", "jsonpath_lib", "k8s-openapi", "kube-core", "kube-derive", + "openssl", "pem", "pin-project 1.0.8", - "rustls", - "rustls-pemfile", "serde", "serde_json", "serde_yaml", "thiserror", "tokio", + "tokio-native-tls", "tokio-util", "tower", "tower-http", "tracing", - "webpki", ] [[package]] @@ -704,6 +690,24 @@ dependencies = [ "winapi", ] +[[package]] +name = "native-tls" +version = "0.2.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "48ba9f7719b5a0f42f338907614285fb5fd70e53858141f69898a1fb7203b24d" +dependencies = [ + "lazy_static", + "libc", + "log", + "openssl", + "openssl-probe", + "openssl-sys", + "schannel", + "security-framework", + "security-framework-sys", + "tempfile", +] + [[package]] name = "ntapi" version = "0.3.6" @@ -748,12 +752,39 @@ version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "692fcb63b64b1758029e0a96ee63e049ce8c5948587f2f7208df04625e5f6b56" +[[package]] +name = "openssl" +version = "0.10.33" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a61075b62a23fef5a29815de7536d940aa35ce96d18ce0cc5076272db678a577" +dependencies = [ + "bitflags", + "cfg-if", + "foreign-types", + "libc", + "once_cell", + "openssl-sys", +] + [[package]] name = "openssl-probe" version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "28988d872ab76095a6e6ac88d99b54fd267702734fd7ffe610ca27f533ddb95a" +[[package]] +name = "openssl-sys" +version = "0.9.66" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1996d2d305e561b70d1ee0c53f1542833f4e1ac6ce9a6708b6ff2738ca67dc82" +dependencies = [ + "autocfg", + "cc", + "libc", + "pkg-config", + "vcpkg", +] + [[package]] name = "ordered-float" version = "2.7.0" @@ -832,6 +863,18 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" +[[package]] +name = "pkg-config" +version = "0.3.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3831453b3449ceb48b6d9c7ad7c96d5ea673e9b470a1dc578c2ce6521230884c" + +[[package]] +name = "ppv-lite86" +version = "0.2.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857" + [[package]] name = "proc-macro-hack" version = "0.5.19" @@ -862,6 +905,46 @@ dependencies = [ "proc-macro2", ] +[[package]] +name = "rand" +version = "0.8.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2e7573632e6454cf6b99d7aac4ccca54be06da05aca2ef7423d22d27d4d4bcd8" +dependencies = [ + "libc", + "rand_chacha", + "rand_core", + "rand_hc", +] + +[[package]] +name = "rand_chacha" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" +dependencies = [ + "ppv-lite86", + "rand_core", +] + +[[package]] +name = "rand_core" +version = "0.6.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7" +dependencies = [ + "getrandom", +] + +[[package]] +name = "rand_hc" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d51e9f596de227fda2ea6c84607f5558e196eeaf43c986b724ba4fb8fdf497e7" +dependencies = [ + "rand_core", +] + [[package]] name = "redox_syscall" version = "0.2.9" @@ -899,54 +982,14 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b" [[package]] -name = "ring" -version = "0.16.20" +name = "remove_dir_all" +version = "0.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" +checksum = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7" dependencies = [ - "cc", - "libc", - "once_cell", - "spin", - "untrusted", - "web-sys", "winapi", ] -[[package]] -name = "rustls" -version = "0.19.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35edb675feee39aec9c99fa5ff985081995a06d594114ae14cbe797ad7b7a6d7" -dependencies = [ - "base64", - "log", - "ring", - "sct", - "webpki", -] - -[[package]] -name = "rustls-native-certs" -version = "0.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a07b7c1885bd8ed3831c289b7870b13ef46fe0e856d288c30d9cc17d75a2092" -dependencies = [ - "openssl-probe", - "rustls", - "schannel", - "security-framework", -] - -[[package]] -name = "rustls-pemfile" -version = "0.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5eebeaeb360c87bfb72e84abdb3447159c0eaececf1bef2aecd65a8be949d1c9" -dependencies = [ - "base64", -] - [[package]] name = "ryu" version = "1.0.5" @@ -987,16 +1030,6 @@ dependencies = [ "syn", ] -[[package]] -name = "sct" -version = "0.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b362b83898e0e69f38515b82ee15aa80636befe47c3b6d3d89a911e78fc228ce" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "security-framework" version = "2.3.1" @@ -1139,12 +1172,6 @@ dependencies = [ "winapi", ] -[[package]] -name = "spin" -version = "0.5.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" - [[package]] name = "strsim" version = "0.10.0" @@ -1162,6 +1189,20 @@ dependencies = [ "unicode-xid", ] +[[package]] +name = "tempfile" +version = "3.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dac1c663cfc93810f88aed9b8941d48cabf856a1b111c29a40439018d870eb22" +dependencies = [ + "cfg-if", + "libc", + "rand", + "redox_syscall", + "remove_dir_all", + "winapi", +] + [[package]] name = "termcolor" version = "1.1.2" @@ -1255,14 +1296,13 @@ dependencies = [ ] [[package]] -name = "tokio-rustls" -version = "0.22.0" +name = "tokio-native-tls" +version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6" +checksum = "f7d995660bd2b7f8c1568414c1126076c13fbb725c40112dc0120b78eb9b717b" dependencies = [ - "rustls", + "native-tls", "tokio", - "webpki", ] [[package]] @@ -1381,10 +1421,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3" [[package]] -name = "untrusted" -version = "0.7.1" +name = "vcpkg" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" +checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" [[package]] name = "want" @@ -1402,80 +1442,6 @@ version = "0.10.0+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f" -[[package]] -name = "wasm-bindgen" -version = "0.2.76" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ce9b1b516211d33767048e5d47fa2a381ed8b76fc48d2ce4aa39877f9f183e0" -dependencies = [ - "cfg-if", - "wasm-bindgen-macro", -] - -[[package]] -name = "wasm-bindgen-backend" -version = "0.2.76" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cfe8dc78e2326ba5f845f4b5bf548401604fa20b1dd1d365fb73b6c1d6364041" -dependencies = [ - "bumpalo", - "lazy_static", - "log", - "proc-macro2", - "quote", - "syn", - "wasm-bindgen-shared", -] - -[[package]] -name = "wasm-bindgen-macro" -version = "0.2.76" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44468aa53335841d9d6b6c023eaab07c0cd4bddbcfdee3e2bb1e8d2cb8069fef" -dependencies = [ - "quote", - "wasm-bindgen-macro-support", -] - -[[package]] -name = "wasm-bindgen-macro-support" -version = "0.2.76" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0195807922713af1e67dc66132c7328206ed9766af3858164fb583eedc25fbad" -dependencies = [ - "proc-macro2", - "quote", - "syn", - "wasm-bindgen-backend", - "wasm-bindgen-shared", -] - -[[package]] -name = "wasm-bindgen-shared" -version = "0.2.76" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "acdb075a845574a1fa5f09fd77e43f7747599301ea3417a9fbffdeedfc1f4a29" - -[[package]] -name = "web-sys" -version = "0.3.53" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "224b2f6b67919060055ef1a67807367c2066ed520c3862cc013d26cf893a783c" -dependencies = [ - "js-sys", - "wasm-bindgen", -] - -[[package]] -name = "webpki" -version = "0.21.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b8e38c0608262c46d4a56202ebabdeb094cef7e560ca7a226c6bf055188aa4ea" -dependencies = [ - "ring", - "untrusted", -] - [[package]] name = "winapi" version = "0.3.9" diff --git a/Dockerfile.sdk_openssl b/Dockerfile.sdk_openssl new file mode 100644 index 00000000..211bd01c --- /dev/null +++ b/Dockerfile.sdk_openssl @@ -0,0 +1,29 @@ +ARG ARCH +FROM public.ecr.aws/bottlerocket/bottlerocket-sdk-${ARCH}:v0.22.0 as build +ARG ARCH +ARG OPENSSL_VERSION=1.1.1k +ARG OPENSSL_SHA256SUM=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5 +USER root + +# Build openssl using musl toolchain for openssl-sys crate +RUN dnf install -y perl +RUN mkdir /musl && \ + echo "/musl/lib" >> /etc/ld-musl-${ARCH}.path && \ + ln -s /usr/include/${ARCH}-linux-gnu/asm /${ARCH}-bottlerocket-linux-musl/sys-root/usr/include/asm && \ + ln -s /usr/include/asm-generic /${ARCH}-bottlerocket-linux-musl/sys-root/usr/include/asm-generic && \ + ln -s /usr/include/linux /${ARCH}-bottlerocket-linux-musl/sys-root/usr/include/linux + +RUN curl -O -sSL https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz && \ + echo "${OPENSSL_SHA256SUM} openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum --check && \ + tar -xzf openssl-${OPENSSL_VERSION}.tar.gz && \ + cd openssl-${OPENSSL_VERSION} && \ + ./Configure no-shared no-async -fPIC --prefix=/musl --openssldir=/musl/ssl linux-${ARCH} && \ + env C_INCLUDE_PATH=/musl/include/ make depend 2> /dev/null && \ + make -j && \ + make install && \ + cd .. && rm -rf openssl-${OPENSSL_VERSION} + +# We need these environment variables set for building the `openssl-sys` crate +ENV PKG_CONFIG_ALLOW_CROSS=1 +ENV OPENSSL_STATIC=true +ENV OPENSSL_DIR=/musl diff --git a/Makefile b/Makefile index b7e28899..ca06c261 100644 --- a/Makefile +++ b/Makefile @@ -1,8 +1,25 @@ -.PHONY: example-test-agent-container +.PHONY: sdk-openssl example-test-agent-image controller-image images -# Build a container image for daemon and tools. -example-test-agent-container: - docker build \ - --network=host \ - --tag 'example_test_agent' \ +ARCH=$(shell uname -m) + +images: controller-image + +# Augment the bottlerocket-sdk image with openssl built with the musl toolchain +sdk-openssl: + docker build $(DOCKER_BUILD_FLAGS) \ + --build-arg ARCH="$(ARCH)" \ + --tag "bottlerocket-sdk-openssl-$(ARCH)" \ + -f Dockerfile.sdk_openssl . + +# Build the container image for the example test-agent program +example-test-agent-image: sdk-openssl + docker build $(DOCKER_BUILD_FLAGS) \ + --build-arg ARCH="$(ARCH)" \ + --tag "example-testsys-agent" \ -f test-agent/examples/example_test_agent/Dockerfile . + +controller-image: sdk-openssl + docker build $(DOCKER_BUILD_FLAGS) \ + --build-arg ARCH="$(ARCH)" \ + --tag "testsys-controller" \ + -f controller/Dockerfile . diff --git a/client/Cargo.toml b/client/Cargo.toml index 03be5c9a..204fa57a 100644 --- a/client/Cargo.toml +++ b/client/Cargo.toml @@ -7,7 +7,7 @@ publish = false [dependencies] # k8s-openapi must match the version required by kube and enable a k8s version feature k8s-openapi = { version = "0.13.0", default-features = false, features = ["v1_20"] } -kube = { version = "0.59.0", default-features = false, features = ["client", "derive", "rustls-tls"] } +kube = { version = "0.59.0", default-features = true, features = [ "derive"] } log = "0.4" schemars = "0.8" serde = { version = "1", features = [ "derive" ] } diff --git a/controller/Cargo.toml b/controller/Cargo.toml index 8c7a39a4..2a038b03 100644 --- a/controller/Cargo.toml +++ b/controller/Cargo.toml @@ -9,7 +9,7 @@ env_logger = "0.9" futures = "0.3" # k8s-openapi must match the version required by kube and enable a k8s version feature k8s-openapi = { version = "0.13.0", default-features = false, features = ["v1_20"] } -kube = { version = "0.59.0", default-features = false, features = ["client", "derive", "rustls-tls"] } +kube = { version = "0.59.0", default-features = true, features = [ "derive"] } kube-runtime = "0.59.0" log = "0.4" schemars = "0.8" diff --git a/controller/Dockerfile b/controller/Dockerfile new file mode 100644 index 00000000..3274a4fb --- /dev/null +++ b/controller/Dockerfile @@ -0,0 +1,16 @@ +ARG ARCH +FROM bottlerocket-sdk-openssl-${ARCH} as build +ARG ARCH +USER root + +ADD ./ /src/ +WORKDIR /src/controller +RUN cargo install --locked --target ${ARCH}-bottlerocket-linux-musl --path . --root ./ + +FROM scratch +# Copy CA certificates store +COPY --from=public.ecr.aws/amazonlinux/amazonlinux:2 /etc/ssl /etc/ssl +COPY --from=public.ecr.aws/amazonlinux/amazonlinux:2 /etc/pki /etc/pki +COPY --from=build /src/controller/bin/controller ./ + +ENTRYPOINT ["./controller"] diff --git a/test-agent/examples/example_test_agent/Dockerfile b/test-agent/examples/example_test_agent/Dockerfile index 78425483..9058b00e 100644 --- a/test-agent/examples/example_test_agent/Dockerfile +++ b/test-agent/examples/example_test_agent/Dockerfile @@ -1,7 +1,16 @@ -# TODO Use Bottlerocket SDK -FROM rust:1.53.0 -WORKDIR /src +ARG ARCH +FROM bottlerocket-sdk-openssl-${ARCH} as build +ARG ARCH +USER root + ADD ./ /src/ WORKDIR /src/test-agent -RUN cargo install --path . --example example_test_agent --root ./ -ENTRYPOINT ["/src/test-agent/bin/example_test_agent"] +RUN cargo install --locked --target ${ARCH}-bottlerocket-linux-musl --path . --example example_test_agent --root ./ + +FROM scratch +# Copy CA certificates store +COPY --from=public.ecr.aws/amazonlinux/amazonlinux:2 /etc/ssl /etc/ssl +COPY --from=public.ecr.aws/amazonlinux/amazonlinux:2 /etc/pki /etc/pki +COPY --from=build /src/test-agent/bin/example_test_agent ./ + +ENTRYPOINT ["./example_test_agent"] diff --git a/yamlgen/Cargo.toml b/yamlgen/Cargo.toml index 0c9ed2de..43ccbc92 100644 --- a/yamlgen/Cargo.toml +++ b/yamlgen/Cargo.toml @@ -6,5 +6,5 @@ publish = false [build-dependencies] client = { path = "../client" } -kube = { version = "0.59.0", default-features = false, features = ["client", "rustls-tls"] } +kube = { version = "0.59.0", default-features = true, features = [ "derive"] } serde_yaml = "0.8"